CVE-2021-2161 – OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568)
https://notcve.org/view.php?id=CVE-2021-2161
Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://docs.azul.com/core/zulu-openjdk/release-notes/april-2021.html#fixed-common-vulnerabilities-and-exposures https://kc.mcafee.com/corporate/index?page=content&id=SB10366 https://lists.debian.org/debian-lts-announce/2021/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5ACX4JEVYH6H4PSMGMYWTGABPOFPH3TS https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CFXOKM2233JVGYDOWW77BN54X3GZTIBK https://lists.fedoraproject.org/archives/ • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-2163 – OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906)
https://notcve.org/view.php?id=CVE-2021-2163
Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. • https://lists.debian.org/debian-lts-announce/2021/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5ACX4JEVYH6H4PSMGMYWTGABPOFPH3TS https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CFXOKM2233JVGYDOWW77BN54X3GZTIBK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CG7EWXSO6JUCVHP7R3SOZQ7WPNBOISJH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MAULPCQFLAMBJIS27YLNNX6I • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVE-2020-14312
https://notcve.org/view.php?id=CVE-2020-14312
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. Se encontró un fallo en la configuración predeterminada de dnsmasq, como es enviado con Fedora versiones anteriores a 31 y en todas las versiones de Red Hat Enterprise Linux, donde escucha en cualquier interfaz y acepta consultas de direcciones fuera de su subred local. • https://bugzilla.redhat.com/show_bug.cgi?id=1851342 • CWE-284: Improper Access Control •
CVE-2012-4451
https://notcve.org/view.php?id=CVE-2012-4451
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Zend Framework versiones 2.0.x anteriores a la versión 2.0.1, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de una entrada no especificada en (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, o (8) View\Helper\Placeholder\Container\AbstractStandalone, relacionado con Escaper. • http://framework.zend.com/security/advisory/ZF2012-03 http://seclists.org/oss-sec/2012/q3/571 http://seclists.org/oss-sec/2012/q3/573 http://www.securityfocus.com/bid/55636 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10 https://bugs.gentoo.org/show_bug.cgi?id=436210 https://bugzilla.redhat.com/show_bug.cgi?id=860738 https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-5645
https://notcve.org/view.php?id=CVE-2012-5645
A denial of service flaw was found in the way the server component of Freeciv before 2.3.4 processed certain packets. A remote attacker could send a specially-crafted packet that, when processed would lead to memory exhaustion or excessive CPU consumption. Se encontró un fallo de denegación de servicio en la manera en que el componente Freeciv del servidor versiones anteriores a la versión 2.3.4 procesaba ciertos paquetes. Un atacante remoto podría enviar un paquete especialmente diseñado que, cuando se procese, conllevaría al agotamiento de la memoria o el consumo excesivo de la CPU. • http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095378.html http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095381.html http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096391.html http://www.openwall.com/lists/oss-security/2012/12/18/5 http://www.openwall.com/lists/oss-security/2012/12/22/4 http://www.openwall.com/lists/oss-security/2012/12/30/11 http://www.openwall.com/lists/oss-security/2012/12/30/8 http: • CWE-400: Uncontrolled Resource Consumption •